Subject of the issue
The text of ATT-05 is currently this:
Health IT Module attested that refresh tokens are valid for a period of no shorter than three months.
This can be interpreted that any and all refresh tokens issued must be valid for a period no shorter than 3 months.
I recommend updating to this:
Health IT Module attested that the Health IT Module is capable of issuing refresh tokens that are valid for a period of no shorter than three months.
Our system gives the patient control over how long the refresh token duration is. The patient can pick 3 months (or even longer), but they can also pick a shorter duration (down to 1 hour). The proposed language would clarify that the system under test must be capable of 3 month refresh tokens, but not all refresh tokens will necessarily have that validity period.
The ONC g10 test procedure language seems to permit differing token expirations, because it says that the HIT module must have "the ability" to issue tokens with the 3 month expiration:
https://www.healthit.gov/test-method/standardized-api-patient-and-population-services
[Both] The tester verifies the ability of the Health IT Module to grant a refresh token valid for a period of no less than three months to native applications capable of securing a refresh token.
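To make the distinction in this issue concrete, here is an added example (not code from the test kit or from any Health IT Module) of a refresh-token issuer whose lifetime is chosen by the patient and clamped to a configured range. The "capable of three months" reading is then a property of the configured upper bound, not of every token issued. The 90-day value for "three months", the one-hour floor, the one-year default ceiling and the `RefreshTokenIssuer` API are all assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

HOUR = 60 * 60
DAY = 24 * HOUR
# Assumption: "three months" is modelled as 90 days for the capability check.
THREE_MONTHS = 90 * DAY


@dataclass
class RefreshTokenRecord:
    subject: str        # the patient the token was issued for
    client_id: str      # the native application holding the token
    issued_at: float
    expires_at: float
    revoked: bool = False


class RefreshTokenIssuer:
    """Issues opaque refresh tokens whose lifetime the patient chooses.

    The requested lifetime is clamped to [min_ttl, max_ttl]. The server
    satisfies the 'capable of issuing three-month tokens' reading of ATT-05
    when max_ttl >= THREE_MONTHS, even if a given patient picks one hour.
    """

    def __init__(self, min_ttl=HOUR, max_ttl=365 * DAY, now=time.time):
        if min_ttl <= 0 or max_ttl < min_ttl:
            raise ValueError("invalid lifetime bounds")
        self.min_ttl = min_ttl
        self.max_ttl = max_ttl
        self._now = now      # injectable clock, so expiry can be tested offline
        self._store = {}     # opaque token -> RefreshTokenRecord (server side)

    def capable_of_three_months(self):
        # The attestation-style check: can this configuration ever issue a
        # token that lives at least three months?
        return self.max_ttl >= THREE_MONTHS

    def clamp_ttl(self, requested_ttl):
        # Patient-selected duration, bounded by policy on both ends.
        return max(self.min_ttl, min(self.max_ttl, int(requested_ttl)))

    def issue(self, subject, client_id, requested_ttl):
        ttl = self.clamp_ttl(requested_ttl)
        now = self._now()
        # Opaque random token; all state lives server side so revocation works.
        token = secrets.token_urlsafe(32)
        self._store[token] = RefreshTokenRecord(subject, client_id, now, now + ttl)
        return token, now + ttl

    def validate(self, token, client_id):
        # Returns the record when the token is known, unrevoked, bound to the
        # presenting client and not yet expired; otherwise None.
        rec = self._store.get(token)
        if rec is None or rec.revoked or rec.client_id != client_id:
            return None
        if self._now() >= rec.expires_at:
            return None
        return rec

    def revoke(self, token):
        # Lets the patient withdraw a token before its chosen expiry.
        rec = self._store.get(token)
        if rec is None:
            return False
        rec.revoked = True
        return True


if __name__ == "__main__":
    issuer = RefreshTokenIssuer()
    print("capable of 3-month tokens:", issuer.capable_of_three_months())
    tok, exp = issuer.issue("patient-1", "native-app", 3 * HOUR)
    print("issued token expiring in", int(exp - time.time()), "seconds")
```

The two configurations worth comparing are an issuer with `max_ttl=30 * DAY`, which cannot satisfy the capability reading regardless of what patients choose, and the default issuer, which can, while still honouring a patient who asks for one hour.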